State Tracking of Uncertain Hybrid Concurrent Systems

Emmanuel Benazera, Louise Travé-Massuyès and Philippe Dague


Abstract. In this paper we propose a component-based hybrid formalism that represents physical phenomena by combining concurrent automata with continuous uncertain dynamic models. The formalism eases the modeling of complex physical systems, and adds concurrency to the supervision of hybrid systems. Uncertainties in the model are integrated as probabilities at the discrete level and intervals at the continuous level. Our modeling framework is rather generic while focusing on the construction of intelligent autonomous supervisors by integrating a continuous/discrete interface able to reason on-line in any region of the physical system state-space, for behavior simulation, diagnosis and system tracking.

1 INTRODUCTION

In the past few years, numerous works have been presented to model embedded systems with hybrid models and reason about them for simulation, diagnosis [9] or verification [1] purposes. The modeling framework usually expresses the different operating modes of the system as a set of finite automata and associates to each mode continuous knowledge encoded through standard numeric differential equations. In this paper we propose a component-based hybrid formalism that represents physical phenomena by combining concurrent automata with continuous uncertain dynamic models. However it is not sufficient to add continuous knowledge to automata, because moving between operating modes requires the automatic construction of the structure of the newly assembled continuous model. It means computing both the characterization of the region of the state-space of the operating mode (denoted as a configuration), and a proper causal ordering between the active variables in that mode. No pre-study of the behavior of the physical system is required to determine the state-space regions associated with the current system configuration(s), because the search at the continuous level is cast into a boolean constraint satisfaction problem. A reasoning continuous/discrete interface (C/D I) is thus added, which provides an on-line generation of the characterization of the new model structure by making use of enhanced Truth Maintenance techniques [18] on the logical model. This is the key point to achieve the diagnosis of the hybrid system, for which detection is provided by the continuous layer and state identification is performed at the discrete logical level by searching for the current configuration consistent with observations. At the same time, the logical framework allows the description of purely discrete component behavior in the same manner as in [17]. Section 2 describes the discrete and the continuous layers; Section 3 presents the interface that integrates both layers together; Section 4 presents the algorithms required to reason about hybrid models and to track multiple trajectories in both simulation and diagnosis; Section 5 discusses our research, compares and references some related work.

2 Hybrid System Formulation

2.1 Hybrid Systems as Transition Systems

The set of all components of the physical system to be modeled is denoted by Comps. Every component in that set is described by a hybrid transition system. The set of all variables used to describe a component is denoted $V$ and is partitioned in the following manner:

• $\Pi = \Pi_M \cup \Pi_C \cup \Pi_{cond} \cup \Pi_D$, the set of discrete variables of 4 distinct types (Mode, Command, Conditional, Dependent),

• $\Xi = \Xi_I \cup \Xi_D$, the set of continuous variables of 2 distinct types (Input, Dependent).

Mode variables $\Pi_M$ represent components' nominal or faulty modes, such as on or stuck. Command variables $\Pi_C$ are endogenous and exogenous commands modeled as discrete events to the system (e.g. software commands). Continuous input variables $\Xi_I$ are exogenous continuous signals to the system determined by its environment (e.g. known inputs or disturbances). Conditional variables $\Pi_{cond}$ are specific discrete variables that represent conditions on continuous variables. Discrete and continuous dependent variables are all other variables. Finally the set Obs contains the observable variables of the physical system. Each observable signal has an explicit sampling period. Our hybrid transition system is an extension of the standard transition system [8] that adds (qualitative or quantitative) constraints to the states.

Definition 1 (Hybrid Transition System - HTS) A Hybrid Transition System HTS is a tuple $(V, \Sigma, T, C, \Theta)$ with:

• $V = \Pi \cup \Xi$, the set of all variables. $\forall v \in V$, the domain of $v$ is $D[v]$, finite for variables in $\Pi$, intervals or real values in $\mathbb{R}$ otherwise.

• $\Sigma$, the set of all interpretations over $V$. Each state in $\Sigma$ assigns a value from its domain to any variable $v \in V$.

• $T$, the finite set of transition variables. Each variable $\tau_m$ in $T$ ranges over its domain $D[\tau_m]$ of possible transitions of the mode variable $m \in \Pi_M$. Each $\tau_m^i$ in $D[\tau_m]$ is a function $\tau_m^i : \Sigma \rightarrow 2^{\Sigma}$, associated to a mapping function $l_{\tau_m^i}$.

• $C$, the set of (qualitative or quantitative) continuous constraints over $V$. Each constraint $c$ in $C$ depends on at least one mode variable in $\Pi_M$. $\forall m \in \Pi_M$, we note $C[m]$ the set of constraints associated to the variable $m$.

• $\Theta$, the set of initial conditions. $\Theta$ is a set of assertions over $V$ such that they define the set of initial possible states, i.e. the set of states $s$ in $\Sigma$ such that $s \models \Theta$.

Note that in a HTS, due to the continuous constraints in $C$, some transitions can trigger according to conditions over continuous variables. At the discrete/continuous interface level, these conditions have a corresponding discrete variable in $\Pi_{cond}$, which captures their truth value. Throughout this paper we illustrate the formalism and later on the diagnosis operation on a simple example: figure 1 shows the HTS of a room R submitted to a temperature source. It has two nominal modes, open (a door or a window is opened) and closed, and a faulty unknown mode. The room temperature $x$ is influenced by the temperature of the source $x_e$ according to a first-order differential equation which accounts for the room characteristics $Q_c$ (closed) and $Q_o$ (open). The actions that move the room from one mode to another are modeled as observed single discrete commands cmd = open and cmd = close. Figure 2 presents the model of a thermostat T, with faulty modes stuck-on, stuck-off and unknown, as well as the required transitions. This thermostat switches according to the room temperature $x$ (it should be in its on mode when the temperature $x < m$ to warm up the room, and back to its off mode when $x > M$ to cool it down). $x$ is hence influenced by the heater setting temperature $h$ (in mode on) or by the outside temperature $x_{ext}$ (in mode off). The temperature $x$ is observed through a sensor with additive noise $x_{noi}$. Initially, $x = x_{ext}$, the room is closed and the thermostat is on. Variables of both HTS are:

$R.mode \in \Pi_M = \{closed, open, unknown\}$

$R.cmd \in \Pi_C = \{none, open, close\}$

$R.c \in \Pi_{cond} = \{R.x < m,\ R.x > m \wedge R.x < M,\ R.x > M\}$

$R.x_e \in \Xi_I \in [-\infty, +\infty]$

$R.x \in \Xi_D \in [-\infty, +\infty]$

$R.\Delta x \in \Xi_D \in [-\infty, +\infty]$

$R.x_{noi} \in \Xi_I \in [-1, 1]$

$R.Q_c \in [0.05, 0.15]$

$R.Q_o \in [0.02, 0.05]$

$R.a \in [0.9, 1.1]$

$R.x_{ext} = 4$

$T.mode \in \Pi_M = \{off, on, stuck\text{-}on, stuck\text{-}off, unknown\}$

$T.M = 17$

$T.m = 10$

$T.h = 20$

$Obs = \{x\}$

Figure 1. Room HTS with unknown mode. Constraints: $C[open] : \dot{x} = a Q_o \Delta x$; $C[closed] : \dot{x} = a Q_c \Delta x$, where $\Delta x = x_e - x$; mapping functions $l_{\tau^1} : \dot{x} = a Q_c \Delta x$ and $l_{\tau^2} : \dot{x} = a Q_o \Delta x$.


2.1.1 States and Time

Considerations about time are central because the discrete and the continuous frameworks use different time representations. At the continuous level, time is explicit in the equations that represent the physical system behavior; we call it physical time $\theta$. Physical time is discretized according to the highest frequency sensor, providing the HTS reference sampling period $T_s$. $x(kT_s)$, or $x(k)$ for short, specifies the value of the continuous vector of state-variables in $\Xi$ at physical time $kT_s$. We call abstract time the time at the discrete level. It is dated according to the occurrence of discrete events. At date $t$, the discrete state $\pi_t$ of a HTS is the tuple $(M_t, Q_t)$, where $M_t$ is the vector of instances of mode variables, and $Q_t$ the vector of instances of variables of $\Pi$ in qualitative constraints. Discrete state-variables are in $\Pi \setminus \Pi_{cond}$. Abstract time dates are indexed on physical time, which informs about how long a component has been in a given discrete state. If $t = kT_s$, then we write the indexed date $t_k$. When there is no ambiguity it is simply denoted by $t$. The hybrid state $s_{t_k}$ of a HTS is the tuple $(\pi_{t_k}, x(k))$.

2.1.2 Transitions

Transitions describe changes between modes over time. The transition variable associated to a mode variable $m$ is denoted $\tau_m$, such that its domain is $D[\tau_m] = \{\tau_m^i \in T_n\} \cup \{\tau_m^i \in T_f\} \cup \{\tau^{id}\}$, with:

• $T_n$ the set of nominal transitions that express switches from one nominal mode to another,

• $T_f$ the set of faulty transitions that move the HTS into a faulty mode,

• $\tau^{id}$ the identity transition that allows a HTS to stay in its current mode.

Because transitions cannot always be considered as instantaneous against the frequency of the sensors, we introduce delays on nominal transitions. The delay $d_{\tau^i}$ is such that once a transition $\tau^i$ is enabled it is triggered after $d_{\tau^i} T_s$, i.e. after $d_{\tau^i}$ physical time units. While a transition is enabled and waiting for its delay to expire, it is said to be in standby. For simplicity, the delay is referred to as $d$ when there is no ambiguity. A delay on a transition can also be modeled by adding modes and clocks to the hybrid transition system [4]. We do not use this representation here because we think that it does not enforce the easy representation of a component as a transition system, as it creates modes that are irrelevant for the diagnosis purpose. To model faults, we define fault modes of which we know the behavior, such as stuck_on or stuck_off, and a unique mode unknown that is rather specific because it has no constraints and covers all interpretations in $\Sigma$. Modeled faults are often abrupt faults in the sense that they do not represent tenuous parameter changes. Thus fault transitions have no delay, i.e. their duration is one physical time unit.


Definition 2 (pre and post assertions) For a given transition $\tau_m^i$ and a given state $s_{t_k} \in \Sigma$, we note the assertions $pre(\tau_m^i) = m^p \wedge \phi^i_{\Pi_C \cup \Pi_{cond}}$ and $post(\tau_m^i) = m^{p'}$ where:

• $m^p$ and $m^{p'}$ are two instances of the mode variable $m$,

• $\phi^i_{\Pi_C \cup \Pi_{cond}}$ is a logical condition over instances of variables of both $\Pi_C$ and $\Pi_{cond}$.

We refer to the guard of a transition as the condition statement $\phi^i_{\Pi_C \cup \Pi_{cond}}$ that triggers the transition. Only fault transitions can be spontaneous, so their guard can be always true. Traditionally, probabilities are also attached to every nominal and faulty transition. In our example, $T$ is represented as follows (○ is the next operator from temporal logic):

$R.\tau^1_{nom}$ : R.mode = closed ∧ R.cmd = open ○ R.mode = open

$R.\tau^2_{nom}$ : R.mode = open ∧ R.cmd = close ○ R.mode = closed

$R.\tau_{fail}$ : R.mode = open ∨ R.mode = closed ○ R.mode = unknown

$T.\tau^1_{nom}$ : T.mode = off ∧ R.x < m ○ T.mode = on

$T.\tau^2_{nom}$ : T.mode = on ∧ R.x > M ○ T.mode = off

$T.\tau^1_{fail}$ : T.mode = on ∧ R.x > M ○ T.mode = stuck_off

$T.\tau^2_{fail}$ : T.mode = off ∧ R.x < m ○ T.mode = stuck_on

$T.\tau^3_{fail}$ : T.mode = on ○ T.mode = stuck_on

$T.\tau^4_{fail}$ : T.mode = off ○ T.mode = stuck_off

$T.\tau^5_{fail}$ : T.mode = on ∨ T.mode = off ○ T.mode = unknown

There is no delay when the thermostat (room) switches between on (open) and off (closed) modes.


2.2 Moving between modes

When a transition triggers, the component switches from one mode to another, and the corresponding HTS needs to transfer its continuous state vector $x$ as well. For that reason each transition $\tau_m^i$ is associated with a mapping function $l_{\tau_m^i} : \Sigma \rightarrow \Sigma$ over the dependent variables in $V$. It initializes the value of a subset of variables in the hybrid state resulting from applying $\tau_m^i$ to $s_{t_k^l}$, where $l$ is the abstract time index. Other variables in $s_{t_k}$ keep their previous value. The identity mapping function is denoted $l^{id}$. Triggering a transition is a two-step operation [1]. First, the mode change is performed by applying the transition $\tau_m^i$ to the current hybrid state and moving to the resulting mode after its delay has expired (transition relation $\xrightarrow{\tau}$):

$$\frac{\tau_m^i \in T,\ (s_{t_k}, s'_{t_{k+d}}) \in \Sigma^2,\ s_{t_k} \models pre(\tau_m^i)}{s_{t_k^l} \xrightarrow{\tau_m^i} s'_{t_{k+d}^{l+1}}} \quad (1)$$

Second, initialization is performed by making use of the mapping function, and physical time goes on (time-step relation $\rightarrow$):

$$\frac{(\pi_{t^{l+1}}, x(k+d)) = l_{\tau_m^i}(s_{t_k})}{(\pi_{t^{l+1}}, x(k+d)) \rightarrow (\pi_{t^{l+1}}, x(\theta))} \quad (2)$$

where $x(\theta)$ is the continuous state associated to the discrete state over the continuous time $\theta$. In the systems we are interested in, most of the discontinuities are driven by controller actions and preserve the continuity of the state variables. In our example, the temperature is obviously continuous when the thermostat switches from on to off, and we use the temperature $T.M$ at this point to compute $\dot{x} = a Q_c (x_e - T.M)$. However it has been shown in [10] that in specific cases, retrieving a mapping function from the models of both considered modes is far from trivial and requires a deep understanding of the physics of the phenomena abstracted in the discontinuity.

2.3 Component modes behavior

We described how transitions express a component's dynamics between modes. At this point we want to represent each intra-mode behavior with two goals in mind: on the one hand the representation must encode the available qualitative or quantitative knowledge; on the other hand it must be suitable for efficient reasoning. For purely discrete components, usually software drivers as well as complex electronic devices, the behavioral model is given by a set of boolean constraints over $\Pi_C \cup \Pi_D$ that are associated to each mode variable value, in the same manner as in [17]. For continuous components, the continuous behavior is expressed by discrete-time continuous constraints over $\Xi$. Each constraint is attached to a mode of the transition system. The discrete-time continuous constraints are of the following standard form:

$$\begin{cases} x(k+1) = A\,x(k) + \sum_{j=0}^{r} B_j\, u(k-j) \\ y(k+1) = C\,x(k+1) \end{cases} \quad (3)$$

where $x(k)$, $y(k)$ and $u(k)$ represent the continuous state vector of dimension $n$, the output (observed) variables vector of dimension $p$ and the input (control) variables of dimension $q$ at time $kT_s$, respectively; $A$, $B_j$ and $C$ are matrices of appropriate dimensions. To provide a suitable framework for reasoning, continuous constraints are encoded in a specific two-level formalism [15] which includes a causal model and an analytical constraint level. The causal model is obtained from equation (3) by expressing it as a set of causal influences among the (state, input or output) variables. Influences may be of different types: dynamic, integral, static and constant. The following definition expresses first and second order dynamic influences:

Definition 3 (Dynamic influence) A dynamic influence $i_{ij}$ is a tuple $(\xi_i, \xi_j, K, T_d, T_r, cond)$ for first order differential relations and $(\xi_i, \xi_j, K, T_d, \zeta, \omega, cond)$ for second order relations, with:

• $\xi_i \in \Xi$ and $\xi_j \in \Xi$ are two continuous variables such that $\xi_i$ influences $\xi_j$,

• $K$ is the parameter gain, representing the static gain of the influence,

• $T_d$ is the parameter delay, representing the time needed by $\xi_j$ to react to $\xi_i$,

• $T_r$ is the parameter response time, representing the time needed by $\xi_j$ to get to a new equilibrium state after having been perturbed,

• $\zeta$ is the damping ratio of the system,

• $\omega$ is the undamped natural frequency of the system,

• $cond$ is the parameter condition, which specifies the logical condition under which the influence is active; $cond$ ranges over elements of $V$.

The underlying operational model of dynamic influences is provided by the following equation:

$$\xi_j(k+1) = \sum_{p=0,\dots,n-1} a_p\, \xi_j(k-p) + \sum_{q=0,\dots,m} b_q\, \xi_i(k+1-q) \quad (4)$$

where $\xi_i$ and $\xi_j$ are continuous variables, $n$ is the influence order and $m \leq n$ (causal link). Usually an equation is modeled by a set of influences. When necessary, uncertainties can be taken into account in the influence parameters and as additive disturbances. The first are represented by considering that the parameters $a_p$ and $b_q$ have time-independent bounded values, i.e. they are given an interval value. The latter can be introduced as a bounded-value constant influence acting on $\xi_j$. From the superposition theorem that applies to the linear case, the computation of the updated value of a variable $\xi_j \in \Xi$ in an equation $eq$ consists in processing the sum of the activated influences from $eq$ having exerted on $\xi_j$ during the last time-interval. The prediction update of all the state and observed variables $x(k)$ and $y(k)$ from the knowledge of the control variables $u(k)$ and the influence activation conditions is performed along the causal model structure. Our representation of uncertainties leads to the prediction of continuous variable trajectories in the form of bounded envelopes. In other words, the system state $x(k)$ at every time instant $t = kT_s$ is provided in the form of a rectangle of dimension $n$.

Definition 4 (Causal system description - CD) The causal system description associated to the set of continuous constraints of a HTS is a directed graph $G = (\Xi, I)$ where $I$ is a set of edges supporting the influences among variables in $\Xi$, with their associated conditions and delays.

The numerical intervals obtained from equation (4) are refined at the analytical model level with global constraints by performing a tolerance propagation algorithm [6] on the set of variables. Back to the example, the feasible continuous states of $\Xi$ are specified by the influences in each HTS:

$R.i_1$ (static) : if (R.mode = closed) then $R.\Delta x \rightarrow R.\dot{x}$

$R.i_2$ (static) : if (R.mode = open) then $R.\Delta x \rightarrow R.\dot{x}$

$R.i_3$ (integral) : $R.\dot{x} \rightarrow R.x$

$R.i_4$ (static) : $R.x \rightarrow R.\Delta x$

$T.i_1$ (constant) : if (T.mode = on ∨ T.mode = stuck_on) then $T.h \rightarrow R.\Delta x$

$T.i_2$ (constant) : if (T.mode = off ∨ T.mode = stuck_off) then $R.x_{ext} \rightarrow R.\Delta x$

$T.i_3$ (constant) : $T.x_{noi} \rightarrow R.x$

Influences without explicit conditions are valid in all modes except in the unknown mode. Figure 3 presents the nominal CD for the room and the thermostat.

2.4 Hybrid Component System

Once components have been modeled as HTS, constituting a generic reusable database of models, they need to be assembled in a Hybrid Component System to model the entire physical plant. Components are hence instantiated. Within the whole plant model, components are concurrent, i.e. able to evolve independently, which allows us to reason on subparts of the model.

Figure 3. Causal nominal system description of the thermostat and room example

Definition 5 (Hybrid Component System - HCS) A Hybrid Component System HCS is a tuple $(Comps, V, \Sigma, T, C, \Theta)$ with $Comps$ being a set of $n$ components modeled as concurrent hybrid transition systems $H_i = (V_i, \Sigma_i, T_i, C_i, \Theta_i)$, $i = 1 \dots n$, $\bigcup_i V_i = V$, $\Sigma \subseteq \bigotimes_i \Sigma_i$, $T = \bigcup_i T_i$, $C = \bigcup_i C_i$, $\Theta = \bigcup_i \Theta_i$.

We track the evolution of a HCS over a temporal window in the form of a trajectory, as a succession of states. At each time-step, constraints and commands first synchronize on shared variables in $\Pi_D$, $\Pi_C$ and $\Xi$ (the room and the thermostat share $\Delta x$). Shared variables serve as time-dated communication channels between automata. The automata must nevertheless synchronize between states. The synchronization uses transitions and is such that, given components of the HCS:

• HTS that received a command synchronize on the corresponding nominal transition,

• non-commanded HTS synchronize on the identity transition $\tau^{id}$.

When synchronized, HTS instances are introduced into the trajectory, whereas other HTS are not copied at each time-step. Intuitively we want to only introduce the minimal subset of the HTS necessary for tracking and diagnosis purposes. In [11] and for discrete-only models, this subset is computed using a pre-compilation of prime implicants of mode variables. In our implementation, transitions synchronize a posteriori, and only when needed by the reasoner to operate. This saves large amounts of memory, as when tracking a physical system in its nominal long-term state, very few components need to be reintroduced.

The concurrency process is made more complex by the introduction of delays on transitions. Figure 4 presents an example of the synchronization of four concurrent HTS, $H_1$ to $H_4$. Four transitions are enabled on shared variables at time-step $t_k^l$ and synchronize over the three next time-steps with different delays, except for $d_{\tau_2}$ and $d_{\tau_4}$ that are equal. $H_1$ and $H_2$, as well as $H_3$ and $H_4$, have constraints that share variables. Due to different commands, the concurrence makes the four HTS change mode at time $t_k^l$ whereas other HTS in the model stay inactive (they are not represented on the figure). Then the synchronization effort takes into account the delays of triggered transitions as well as the links between HTS through shared variables:

• $H_2$ and $H_4$ have the same delay and thus participate in the same hybrid state at time-step $t^{l+1}_{k+d_{\tau_2}}$,

• $H_1$ and $H_2$ synchronize at $t^{l+2}_{k+d_{\tau_1}}$. This is done with the identity transition on $H_2$,

• $H_1$ (or $H_2$) and $H_4$ don't synchronize at $t^{l+2}_{k+d_{\tau_1}}$ because they don't share any variables,

• $H_1$ and $H_2$ share variables but don't synchronize at $t^{l+1}_{k+d_{\tau_2}}$ because $\tau_1$ is already in standby.

The last remark is of importance because it relies on the hypothesis that we cannot track or diagnose a physical component while it is switching from one mode to another, i.e. when one of its transitions is in standby, as the required transient models are often unknown or too complex. The consequence is that components only synchronize in their non-standby states.
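The synchronization rule above, replayed on the four-component scenario of Figure 4, as an added example that is not code from the paper. The delays ($d_{\tau_2} = d_{\tau_4}$, $d_{\tau_1}$ the longest) and the shared-variable links ($H_1$/$H_2$, $H_3$/$H_4$) are assumed values chosen to reproduce the four bullet points.

```python
# Added example (not from the paper): the synchronization rule of Section 2.4
# replayed on the four-component scenario of Figure 4. The delays and the
# shared-variable links are assumed values chosen to match the text.
from dataclasses import dataclass


@dataclass
class HTS:
    """One component: which components it shares variables with, and the
    physical time-step at which its pending nominal transition triggers."""
    name: str
    shared_with: frozenset
    fires_at: int = -1          # -1: no transition enabled

    def in_standby(self, now):
        """Enabled and still waiting for its delay to expire (Section 2.1.2)."""
        return self.fires_at > now


def enable(comps, now, delays):
    """Commands received at time-step `now`: each transition is enabled and
    triggers after its delay d_tau, i.e. at now + d_tau."""
    for name, d_tau in delays.items():
        comps[name].fires_at = now + d_tau


def synchronize(comps, now):
    """Groups of components that form one hybrid state at time-step `now`.
    Components whose transitions trigger now with the same delay share a
    state; a component sharing variables with a triggering one joins through
    its identity transition, unless its own transition is still in standby."""
    triggering = [c for c in comps.values() if c.fires_at == now]
    groups = set()
    for c in triggering:
        group = {c.name}
        for other in comps.values():
            if other.name == c.name:
                continue
            if other.fires_at == now:                       # same delay
                group.add(other.name)
            elif other.name in c.shared_with and not other.in_standby(now):
                group.add(other.name)                       # identity transition
        groups.add(frozenset(group))
    return sorted(groups, key=sorted)


def figure4_scenario():
    """H1/H2 and H3/H4 share variables; all four transitions are enabled at
    t_k, with d_tau2 == d_tau4 and d_tau1 the longest (assumed values)."""
    comps = {name: HTS(name, frozenset(shared)) for name, shared in
             [("H1", {"H2"}), ("H2", {"H1"}), ("H3", {"H4"}), ("H4", {"H3"})]}
    k = 0
    enable(comps, k, {"H1": 3, "H2": 1, "H3": 2, "H4": 1})
    return {step: synchronize(comps, step) for step in range(k + 1, k + 4)}


if __name__ == "__main__":
    for step, groups in figure4_scenario().items():
        print("t_k+%d:" % step, [sorted(g) for g in groups])
```

At $t_{k+1}$ only $H_2$ and $H_4$ form a state ($H_1$ and $H_3$ are in standby), $H_4$ rejoins $H_3$ at $t_{k+2}$ via its identity transition, and $H_2$ rejoins $H_1$ at $t_{k+3}$.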


Figure 4. Synchronization over 3 states of four HTS.


3 Continuous/Discrete Interface

3.1 Configurations

Depending on the mode at a given time, a HCS has a hybrid state that ranges over several continuous regions. These regions are known to be difficult to determine and compute, if not undecidable. We propose an on-line mechanism to keep track of the state-space partition by sheltering every continuous functional piece with a conjunction of logical conditions that we denote as a configuration.

Definition 6 (HCS configuration) A configuration for a HCS at time-step $t_k$ is a logical conjunction $\delta_{t_k} = (\bigwedge_i m^i) \wedge (\bigwedge_j \pi^j_{cond})$ where the $m^i$ are instantiations of component modes in $\Pi_M$ and the $\pi^j_{cond}$ are variables of $\Pi_{cond}$.

The configurations are automatically drawn from conditions on both transition guards and influences that define structural changes in the model. A configuration can be attached to one or more modes in $\Pi_M$. In our example, the continuous state is easily partitioned by the thermostat's transitions into three regions determined by the three conditions on variable $x$, defining 27 configurations:

$C_1$ : R.mode = closed ∧ T.mode = on ∧ R.x < m

$C_2$ : R.mode = closed ∧ T.mode = on ∧ (R.x > m ∧ R.x < M)

$C_3$ : R.mode = closed ∧ T.mode = off ∧ (R.x > m ∧ R.x < M)

$C_4$ : R.mode = closed ∧ T.mode = off ∧ R.x > M

Whatever the complexity of the conditions defining the regions of the physical system, it is easy to logically express any condition as a boolean variable of $\Pi_{cond}$, whose 1/0 corresponds to the condition and its negation. This however leads to a number of partitions that is not optimal relative to the exact number of state-space regions in which the physical system evolves. Note that the configuration associated to the unknown mode encompasses the overall state-space.

3.2 Causal ordering for static equations

When switching from one mode to another, some equations and variables are added or retracted according to the new configuration. Consequently, due to the possible presence of static continuous equations in the model, a proper causal ordering of variables is to be found when entering the new mode. A brute force approach would consist in generating a new causal structure for every different mode. The problem of performing an on-line incremental generation of the causal structure has been previously addressed [16], but it is solved here in a slightly different manner. This is done by first casting the problem into a boolean constraint satisfaction problem: every continuous equation and variable in the HCS is associated to boolean variables in $\Pi$ whose truth values state whether the variables or equations are active or not. Rules over the boolean variables are automatically built to represent the conditions of these activations and form a logical representation of the causal-ordering problem.

3.3 Overview

The previous configuration and causal ordering problems are solved on-line by using a truth maintenance system (TMS) to reason on the corresponding boolean constraint satisfaction problems. We use the context switching algorithms of [18] because we are not interested in generating all configurations of the physical system but in switching from one to another as fast as possible. The HCS reacts to events, i.e. observations from sensors as well as commands, and propagates them to the model's discrete and continuous levels through the logical interface and the way back. Figure 5 sums up these interactions. The C/D I, made of the variables in $\Pi_{cond}$ associated to influence conditions and transition guards, as well as the causal ordering logical model, ensures the logical consistency of the changes triggered by the flow of events.

Figure 5. 3-layer interactions

4 Simulation and Diagnosis of a Hybrid Component System

4.1 Simulation

A HCS simulation is a run of concurrent hybrid transition systems that generates possible nominal trajectories of the HCS according to the issued commands and inputs over time. The uncertainty on the continuous constraint parameters determines the precision of the computed envelopes that enclose the observed behavior of the physical system at each time step.

Sometimes  the  truth  value  of  a condition  in  a configuration  may 
be  undetermined  when  checked  against  a rectangular  enclosing  of 
the  continuous  state-variables.  The  problem  arises  from  the  fact  that 
some  variables  over  which  configurations  rely  are  not  measured. 
When  the  computed  bounds  of  such  a continuous  variable  f span 
over  more  than  one  configuration  region  relying  on  that  variable,  we 


say  that  the  current  configuration  is  splitting  the  continuous  state  on 
variable  Figure  6 shows  a configuration  split  for  the  thermostat 

temporal 


Figure  6.  Transition  guard  split 


example  when  crossing  x = M.  The  current  configuration  splits  on 
regions  xl  and  x2  and  the  two  possible  trajectories  are  tracked  simul- 
taneously. In  applications,  this  situation  happens  rather  frequently 
and  multiple  consecutive  splits  of  a guard  on  the  same  variable  can 
occur  because  sensor  frequencies  are  usually  beneath  the  tempo- 
ral uncertainty  induced  by  the  envelopes.  We  first  want  to  split  the 
continuous  state  into  logical  branches  then  refine  consequently  the 
bounds  on  all  continuous  variables  in  every  explored  branch.  For  a 
given  continuous  variable  the  logical  split  of  a configuration  Stk 
returns  the  set  of  possible  configurations  to  be  tracked: 

[*.*](&)  = V A (a  He-™*)  ) (5) 

where  Tl3Cond  are  variables  of  Hcond  relying  on  £*  and  Tlcond 
other  conditions  in  Stk.  Relation  (5)  is  used  to  compute  the  splitted 
areas  because  it  is  much  faster  than  exploring  the  overall  continu- 
ous state  space.  The  following  algorithm  is  applied  on  every  tracked 
trajectory: 

1. The configuration S_tk is checked against the rectangular region defined by the variables' predicted envelopes to find a variable ξ_i over which it is splitting the state-space.

2. The state-space is logically split with relation (5). For each configuration S^j_tk in [S_tk](ξ_i), its corresponding continuous region is denoted x^j(k) and its corresponding discrete state π^j_tk.

3. Envelopes over the variables in Ξ are refined in every region x^j(k) by filtering them on the constraints defined by the conditions in the configuration [6].

4. (π^j_tk, S^j_tk, x^j(k)) constitute new hybrid states enclosed in new trajectories to be tracked.

The three preceding steps are applied for the remaining variables on the growing set of generated trajectories. Finally the resulting set of computed hybrid states is:

[S_tk] = …   (6)

In our example, the thermostat's configurations only split on the temperature x. On figure 6, until time-step t_f, the configuration of the HCS is

C2 : R.mode = closed ∧ T.mode = on ∧ R.x > m ∧ R.x < M

At time-step t_f, due to the crossing of x = M, the current configuration is split on x. A new partial hybrid state comes from equation (5):

R.mode = closed ∧ T.mode = on ∧ R.x > M

Then the bounds of variable x are refined in each configuration by filtering the values with the respective constraints R.x > m ∧ R.x < M and R.x > M. As transition T.τ2on becomes enabled in the second configuration, the configuration is instantaneously (T.τ2on has no delay) updated to:

C3 : R.mode = closed ∧ T.mode = off ∧ R.x > M   (7)

From that point the system tracks two distinct trajectories.
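The split-and-refine procedure above (relation (5), steps 1 to 4 and the instantaneous transition update of the thermostat example), as an added Python illustration that is not code from the paper; the threshold values m = 18 and M = 20, the envelope values and the names Cond, Config, split, fire and track_step are assumptions of this example.

```python
from dataclasses import dataclass
from math import inf
from typing import Dict, List, Optional, Tuple

Interval = Tuple[float, float]

@dataclass(frozen=True)
class Cond:
    """Condition of a configuration on one continuous variable: lo <= var <= hi."""
    var: str
    lo: float
    hi: float

@dataclass(frozen=True)
class Config:
    modes: Tuple[Tuple[str, str], ...]  # discrete part, e.g. (("R.mode", "closed"), ("T.mode", "on"))
    conds: Tuple[Cond, ...]             # continuous part, the Pi_cond of the configuration

# delay-free transition: (mode variable, source mode, enabling region, destination mode)
Guard = Tuple[str, str, Cond, str]

def intersect(a: Interval, b: Interval) -> Optional[Interval]:
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None

def split(conf: Config, var: str, env: Interval, regions: List[Cond]) -> List[Tuple[Config, Interval]]:
    """Relation (5) then step 3: one configuration per region of `var` overlapped by
    the predicted envelope, keeping the conditions that do not rely on `var`, with
    the envelope refined to that region's bounds."""
    others = tuple(c for c in conf.conds if c.var != var)
    out = []
    for r in regions:
        refined = intersect(env, (r.lo, r.hi))
        # a zero-width intersection of a proper envelope is just a touched boundary
        if refined is None or (refined[0] == refined[1] and env[0] < env[1]):
            continue
        out.append((Config(conf.modes, others + (r,)), refined))
    return out

def fire(conf: Config, guards: List[Guard]) -> Config:
    """Take every delay-free transition whose enabling region contains the
    configuration's own region on that variable (T's switch when x crosses M)."""
    modes = dict(conf.modes)
    for comp, src, g, dst in guards:
        enabled = any(c.var == g.var and g.lo <= c.lo and c.hi <= g.hi for c in conf.conds)
        if modes.get(comp) == src and enabled:
            modes[comp] = dst
    return Config(tuple(modes.items()), conf.conds)

def track_step(conf: Config, envs: Dict[str, Interval], regions: Dict[str, List[Cond]],
               guards: List[Guard]) -> List[Tuple[Config, Dict[str, Interval]]]:
    """Steps 1-4 for every splitting variable over the growing set of trajectories."""
    branches = [(conf, dict(envs))]
    for var, regs in regions.items():
        grown = []
        for c, e in branches:
            for c2, refined in split(c, var, e[var], regs):
                grown.append((fire(c2, guards), {**e, var: refined}))
        branches = grown
    return branches

# Thermostat example; the thresholds m = 18 and M = 20 are assumed values.
M_LOW, M_HIGH = 18.0, 20.0
REGIONS = {"R.x": [Cond("R.x", -inf, M_LOW), Cond("R.x", M_LOW, M_HIGH), Cond("R.x", M_HIGH, inf)]}
GUARDS: List[Guard] = [("T.mode", "on", Cond("R.x", M_HIGH, inf), "off"),
                       ("T.mode", "off", Cond("R.x", -inf, M_LOW), "on")]
C2 = Config((("R.mode", "closed"), ("T.mode", "on")), (Cond("R.x", M_LOW, M_HIGH),))
```

With the envelope of x predicted as (19.6, 20.3) at the crossing, track_step(C2, {"R.x": (19.6, 20.3)}, REGIONS, GUARDS) returns the two trajectories of the text: C2 refined to x in (19.6, 20.0) and C3 with T.mode = off and x in (20.0, 20.3).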

4.2  Fault  Detection 

The detection algorithm then uses the above prediction of the endogenous continuous variable values to obtain robust decisions about the existence of faults, based on adaptive thresholds provided by the envelopes' upper and lower bounds. This is performed by comparing the predicted and observed values of variables across time. The adaptive thresholds principle fairly reduces the possibility of false alarms when tracking the system. However, to achieve better robustness, we usually mark a variable as misbehaving only after it has been outside of its bounds for at least n_misb physical time-steps. After that delay, the diagnosis operation is triggered.

For dynamic influences, the algorithm's sensitivity relies on a mixed strategy which combines an observer-type strategy (closed-loop mode, i.e. the measure of a variable y at time t is used to build the prediction of y at time t + 1) with a pure simulation strategy (open-loop mode, i.e. the prediction of y at time t + 1 is obtained from the prediction of y at time t) to determine the thresholds and further assess variable states. We call this strategy a semi-closed loop (SCL) strategy [13]. The mode control (open-loop or closed-loop) depends on whether the observed value of a variable y is in the predicted envelope (normal situation) or out of it (alarming situation). As soon as the variable becomes alarming, running in closed-loop mode might drive the prediction to follow the fault, making the detection procedure insensitive to the fault. The prediction temporal window is hence scaled up by switching to the open-loop mode. Note that the fault detection mechanism is very efficient at ruling out wrong trajectories issued from multiple successive splits on the same boundary constraint.

Figure 7 shows three scenarios with faults where detection is applied. In the first scenario the thermostat fails to switch at time-step 63 and sticks to its on mode. In the second scenario the constant T.h is degraded from time-step 46 to a lower value, so the heater is slower to warm the room. Scenario three presents a fault characterized by an abrupt structural change in the thermostat model. For all scenarios, n_misb = 1.
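The semi-closed loop strategy with the n_misb delay, as an added Python illustration that is not code from the paper; it also shows the re-entry of the measures into the open-loop envelopes that the blind state-tracking method of subsection 4.3.2 relies on. The room model, its interval parameters, the heater-always-on assumption and the transient fault scenario are constructed for the example, and the names predict, simulate_true and scl_detect are the example's own.

```python
from typing import Dict, List, Tuple

Interval = Tuple[float, float]

# Constructed room model (not the paper's figure-3 model): x(t+1) = x - a*(x - x_ext) + h*u
# with interval-valued parameters and the heater command u in {0, 1} (u = 1 throughout here).
A_INT: Interval = (0.09, 0.11)   # heat-loss coefficient a
H_INT: Interval = (0.9, 1.1)     # nominal interval for the heater gain T.h
X_EXT = 10.0                     # external temperature, assumed constant

def predict(seed: Interval, u: int) -> Interval:
    """One-step interval prediction of x. The step map is bilinear in (x, a) and linear
    in h, so its extremes over the box seed x A_INT x H_INT are reached at corners."""
    vals = [x - a * (x - X_EXT) + h * u for x in seed for a in A_INT for h in H_INT]
    return (min(vals), max(vals))

def simulate_true(n: int, fault_steps: range, h_fault: float) -> List[float]:
    """Constructed ground truth: a = 0.10, h = 1.0, except h = h_fault while the step
    index lies in fault_steps (a transient heater degradation). Returns x(0..n)."""
    x, ys = 15.0, [15.0]
    for t in range(n):
        h = h_fault if t in fault_steps else 1.0
        x = x - 0.10 * (x - X_EXT) + h
        ys.append(x)
    return ys

def scl_detect(ys: List[float], n_misb: int) -> Dict[str, list]:
    """Semi-closed loop detection. Closed loop: the prediction for t+1 is seeded with the
    measure at t. Open loop: it is seeded with the previous envelope, so the adaptive
    thresholds widen instead of following the fault. The variable is declared misbehaving
    (diagnosis triggered) once it has been out of its envelope for n_misb steps."""
    mode, misb, env = "closed", 0, (ys[0], ys[0])
    events, modes = [], []
    for t in range(1, len(ys)):
        seed = (ys[t - 1], ys[t - 1]) if mode == "closed" else env
        env = predict(seed, 1)
        if env[0] <= ys[t] <= env[1]:           # normal situation
            if mode == "open":
                events.append((t, "reenter"))   # blind tracking: back to closed loop
            mode, misb = "closed", 0
        else:                                   # alarming situation
            mode, misb = "open", misb + 1
            if misb == n_misb:
                events.append((t, "detect"))
        modes.append(mode)
    return {"events": events, "modes": modes}
```

With the heater gain dropping to 0.3 for steps 5 to 7 and n_misb = 2, the measure leaves the envelope at step 6, detection fires at step 7, and the widening open-loop envelope catches the measure again at step 14, where the detector returns to closed-loop mode.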

4.3  Diagnosis 

When a fault is detected, a diagnosis amounts to finding the current configuration of the HCS according to observations, inputs and commands. This must be performed over a finite temporal window [11], but because of the fault detection at the continuous level the problem of losing solutions is strongly reduced. The temporal window is usually set to the physical time that corresponds to the longest chain of non-repeated transitions. In our example, 20 physical time-steps cover a complete on-off sequence.


Figure 7. Three fault scenarios. Panels:

(a) Scenario 1, x: After detection and diagnosis, a few more time-steps are necessary for the prediction to catch up with the physical system. This comes from the fact that the estimation of the time of the fault is not accurate enough: because of the time uncertainty due to the envelopes, the estimation is a few time-steps late.

(b) Scenario 1, x: the fault is detected at time-step 68.

(c) Scenario 2, x: After the fault is diagnosed, the blind state-tracking method uses the nominal behavior of the thermostat and predicts all possible switches at each time-step: the very wide envelope shows that it is not sure whether the thermostat is on or off.

(d) Scenario 2, x: The fault is not so abrupt as to be detected instantaneously. Measures go back into the predicted bounds at time-step 69. This is due to the fact that when using the blind state-tracking method, the thermostat's controller model is still switching on valid thresholds.

(e) Scenario 3, x: The thermostat switches on valid thresholds and the blind state-tracking method keeps a relatively good tracking of the temperature after the fault occurred. This is due to the fact that the physical model of the room is still valid.

(f) Scenario 3, x: After the thermostat's structure change, the heater setting temperature T.h is oscillating. When turned off, T keeps its nominal behavior.


Definition 7 (HCS Diagnosis) A diagnosis diag(t) over m time-steps for a HCS is such that diag(t) = {S_t}_{t=1,...,m} with the consistency of:

Solving relation (8) is a three-step operation. First, existing conflicts (sets of influences which cannot all be unfaulty together) are exhibited from the causal system description (CD) of the HCS, each influence stamped with a temporal label and an activation condition. They are then turned into diagnosis candidates by a failure-time oriented enhanced version of the hitting set algorithm [14]. Temporal information is drawn from maximizing, on each component, the delays of the influences downstream of the faulty variables in the CD.

Second, at the configurations level, the TMS negates the activation conditions of the conflicting influences and quickly iterates through the remaining logical configurations to restore consistency. Finally, every configuration found is checked against the past observations over the temporal window before being approved, as in [11], except that candidate generation and consistency checks are interleaved and run from the present time back to the beginning of the temporal window. Configuration solutions to the diagnosis problem contain a mode instantiation of every necessary component in the HTS explaining the observations. Note that on figure 7, for all three scenarios, the diagnosis operation is performed in less than 0.1 seconds on a Pentium II 300 MHz, which is shorter than the measures' sampling period, so the detection time-step is equal to the diagnosis time-step.

4.3.1 Diagnosis example with a fault mode

When applied to the first scenario, the diagnosis starts as soon as x goes out of its bounds for all currently tracked trajectories: iterating through the system's nominal CD from figure 3, at time-step 68 the influences in conflict are F = {T.i3, T.i2, R.ii, R.i.i, R.ii}. Relative to the current configuration (7), this is equivalent to adding the constraints F_c = {⋁_{m_i ∈ D[T.mode]} T.mode = m_i, R.mode = closed, T.mode = off ∨ T.mode = stuck_off, ⋁_{m_j ∈ D[R.mode]} R.mode = m_j}, which are the activation conditions of the influences in conflict. As R.ii has a delay of 1, the elements of the last conflict are stamped with the current physical time minus 1. The other conflict elements are stamped with the current physical time.

The TMS then seeks consistency of both the configurations and the transition model, starting from the current configuration, by inserting the negation of the elements of F_c: F̄_c = {T.mode = unknown, R.mode = open ∨ R.mode = unknown, T.mode = on ∨ T.mode = stuck_on ∨ T.mode = unknown, R.mode = unknown}, and returns the following possible configurations, ranked according to the probabilities attached to transitions and to the number of faults leading to them:

1 : (R.mode = closed) ∧ (T.mode = stuck_on) ∧ (R.x > M)

2a : (R.mode = closed) ∧ (T.mode = unknown) ∧ (R.x > M)

2b : (R.mode = unknown) ∧ (T.mode = stuck_on) ∧ (R.x > M)

3 : (R.mode = unknown) ∧ (T.mode = unknown) ∧ (R.x > M)

Other configurations with the thermostat in modes on or stuck_off, or with the room in mode open, are ruled out during the search process because there are no transitions or past observations and commands consistent with these configurations. Diagnosis 1 fits the fault in the first scenario (the thermostat took transition τ_fail). The state vector is reinitialized according to the mapping function of τ_fail before the tracking continues.
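The candidate generation of subsection 4.3 (conflicts turned into time-stamped candidates ranked by number of faults and transition probabilities), as an added Python illustration that is not the paper's implementation: the causal-description fragment, the conflict sets, the influence delays and the fault-mode probabilities are constructed assumptions, and a brute-force enumeration of minimal hitting sets stands in for the enhanced algorithm of [14].

```python
from itertools import combinations
from typing import Dict, FrozenSet, List

# Constructed causal-description fragment (not the paper's figure 3): influence -> (component, delay).
INFLUENCES: Dict[str, tuple] = {
    "T.i2": ("T", 0), "T.i3": ("T", 0), "R.i1": ("R", 1), "R.i2": ("R", 0),
}
# Constructed prior probabilities of the fault transitions each component can take;
# 'unknown' is always available so that a diagnosis always exists.
FAULT_MODES: Dict[str, Dict[str, float]] = {
    "T": {"stuck_on": 0.06, "stuck_off": 0.04, "unknown": 0.001},
    "R": {"unknown": 0.001},
}
# Constructed conflicts: sets of influences that cannot all be unfaulty at detection time.
CONFLICTS = [frozenset({"T.i2", "R.i2"}), frozenset({"T.i3", "R.i1"})]

def minimal_hitting_sets(conflicts: List[FrozenSet[str]]) -> List[FrozenSet[str]]:
    """Smallest-first enumeration of the minimal sets hitting every conflict (brute
    force, standing in for the enhanced hitting set algorithm of [14])."""
    universe = sorted(set().union(*conflicts))
    found: List[FrozenSet[str]] = []
    for k in range(1, len(universe) + 1):
        for combo in combinations(universe, k):
            hs = frozenset(combo)
            if all(hs & c for c in conflicts) and not any(m <= hs for m in found):
                found.append(hs)
    return found

def candidates(conflicts: List[FrozenSet[str]], now: int) -> List[dict]:
    """Diagnosis candidates: faulty components with an estimated failure time (current
    time minus the largest delay of their conflicting influences), the most probable
    fault mode of each, ranked by number of faults and then by prior probability."""
    stamps_by_comps: Dict[FrozenSet[str], Dict[str, int]] = {}
    for hs in minimal_hitting_sets(conflicts):
        stamps: Dict[str, int] = {}
        for inf in hs:
            comp, delay = INFLUENCES[inf]
            stamps[comp] = min(stamps.get(comp, now), now - delay)
        merged = stamps_by_comps.setdefault(frozenset(stamps), {})
        for comp, t in stamps.items():          # same component set: keep the earliest stamp
            merged[comp] = min(merged.get(comp, t), t)
    out = []
    for faults in stamps_by_comps.values():
        modes = {c: max(FAULT_MODES[c], key=FAULT_MODES[c].__getitem__) for c in faults}
        prob = 1.0
        for c, m in modes.items():
            prob *= FAULT_MODES[c][m]
        out.append({"faults": dict(faults), "modes": modes, "prob": prob})
    out.sort(key=lambda d: (len(d["faults"]), -d["prob"]))
    return out
```

At detection time 68 the constructed conflicts yield a single-fault candidate on T (stamped 68, mode stuck_on), a single-fault candidate on R (stamped 67 because of the delay-1 influence R.i1) and a double-fault candidate ranked last.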


4.3.2 Diagnosis example with the unknown mode

Scenarios 2 and 3 primarily lead to diagnosis 2a, where the thermostat is in the unknown mode. This mode is useful at the discrete level because it ensures that there is always a solution to the diagnosis problem⁵. At the continuous level, however, it has no model, so it is not possible to track a HTS in that mode. Isolating the unknown automata so as to continue predicting the behavior of the other HTS in the model often leads to tracking based on a wrong model: in scenario 2, once the mode of T has been diagnosed as unknown, influences referring to T are inactive, which is equivalent to predicting R's behavior with T.h = 0. Our current solution to that problem is to use a dedicated blind state-tracking method that is applicable thanks to the semi-closed loop fault detection strategy described in subsection 4.2. When a component is found to be in its unknown mode, the nominal model of the component is used instead. The detection module runs in open-loop prediction mode until the measures fall into the envelopes again. This is guaranteed to occur because the open-loop predicted envelopes widen with time (uncertainty propagation of interval models). Triggered by this event, the detection module then switches to closed-loop prediction mode and is able to track the system until the measures get out of their bounds again, and so on. This is the method applied to scenarios 2 and 3 on figure 7. However, in scenario 2, an improved solution could be to use parameter estimation techniques as proposed in [9], because the structure of the model is still valid. But the drawbacks are the additional computational cost and the fact that this would leave the system untracked for a period of time (proper parameter estimation requires waiting for properly excited data). More research is needed to integrate existing parameter estimation and model fitting techniques into our framework. Also note that such faults generally result from the natural degradation of the monitored physical system and could be taken into account in causal models [12].

5 Summary,  Discussion  and  Related  Work 

In this paper we extend previous work on diagnosis in the AI community by presenting a formalism that merges concurrent automata with continuous dynamic system models and reasons about its configurations using logical tools. The problem of reasoning about and diagnosing complex physical plants without computing their continuous reachable state-space is addressed. The approach integrates numerous techniques from different fields into a runnable standalone application, which is able to deal with real-world problems such as satellite state-tracking [3]. The modeling, simulation and diagnosis tools are implemented, including the engine that splits the configurations. The program generates a C++ runtime that is intended to be demonstrated on an autonomous spacecraft test bench at CNES.

Other formalisms for building comprehensive and tractable hybrid systems include [10] and [4]. But none of these approaches provides an intuitive component-based framework allowing engineers to build reusable models of equipment. Moreover the models often include numerous functional modes that are irrelevant to the diagnosis task. For instance [4] introduces additional modes to deal with delayed transitions, and [10] rather focuses on the expression of the approximations able to produce sound hybrid models of complex physical systems. Besides, it examines types of discontinuities that are rarely encountered in controlled systems. In such systems, most of the discontinuities are driven by controller actions and preserve the continuity of state variables.

5 Note that the unknown mode is also a dead-end since no nominal transition can lead out of this mode.

Our work takes numerous ideas from the discrete-only work at the basis of Livingstone [17, 11] and adds and links continuous knowledge to it. The difficult problem of the temporal window, which required aggregating in a history all past states in every tracked trajectory, is now strongly reduced as it is less likely that a wrong trajectory is tracked without detecting anomalies at the continuous level. [9] introduced a diagnosis-dedicated hybrid formalism relying on error bounds for the detection part, but without concurrency or transitions triggered autonomously from the continuous level; it uses probabilities, parameter estimation as well as data fitting to refine the diagnosis. [20] unifies traditional continuous state observers with hidden Markov model belief update in order to track hybrid systems with noise, but does not include concurrent models nor any discussion of mapping functions. The approach is interesting because it makes extensive use of probabilities where we chose to rely on bounded uncertainties (intervals) at the continuous level and on probabilities at the discrete level. In fact these are different uncertainties, as the uncertainty is uniformly distributed in the case of intervals whereas [20] relies on normal laws. In our point of view, using probabilities at the discrete level allows pruning an otherwise prohibitive search, but intervals offer a more compact representation of uncertainties on continuous variables. However, the point would need more discussion and research. Similar approaches also include [21], which combines a Petri net and signal analysis to estimate the discrete modes and overcome an exponential cost in the number of sensors, but lacks an efficient diagnosis engine; and [7], which uses a dedicated Bayesian network as well as a smoothing method that helps successfully diagnose faults with a very low belief state. Note that the model checking community has recently investigated the use of interval-based numerical models [5].

An advantage of our approach is that any type of condition associated with transitions and influences (e.g. continuous functions as guards) can be modeled and tracked without being directly observed. Finally, on-line performance can be enhanced as the formalism allows the logical model to be pre-compiled before use by generating prime implicants on transition guards [19] and influence conditions. However, it still happens that trajectories cannot be discriminated due to too much imprecision on parameters, which leads to overlapping envelopes. A solution to this problem has been to merge such envelopes and the corresponding trajectories. Another remark concerns the splits that occur without being linked to any real mode or structure change in the model: when starting the thermostat and room models with external temperature x_ext < m, a split occurs when first crossing x = m. These splits however are sound and refine the bounds on continuous variables, as they allow the system to reduce the temporal uncertainty at the crossing point.

Further work will focus on reconfiguration by reasoning on configurations with the same core algorithms as for diagnosis. This will be done by identifying a set of goal configurations and finding, under uncertainty, a valid plan made of the least costly endogenous commands to reach each goal. We think that additional improvements could also include automatic controller synthesis as in [2], as well as parameter estimation based on the causal structure of the continuous level in order to refine the tracking of the system when in its unknown mode. In the near future more results are to come out, as our implementation is intended to be tested on spacecraft models and run on-board ground-based satellite hardware.